fix(permutation): make bitwise_permute constant-time

The previous `bitwise_permute` used `BitArray::get_unchecked(secret_index)`
to read bits at secret-derived positions. Even though all sized bit
arrays here fit in a single cache line (≤16 bytes), the secret-indexed
load is still a microarchitectural hazard — port pressure and other
intra-cache-line side channels can leak the index on some CPUs.

Reimplement as: unpack to one byte per bit (MSB-first), permute through
the now-constant-time `permute_array` primitive, repack. This routes the
bit-level operation through the same scan-and-mask machinery that
already protects element-wise permutation.

Secret intermediates (`bytes`, `bits`, `permuted`) are wrapped in
`Zeroizing<_>` for unwind safety, matching the pattern in elementwise.

Drops the direct `bitvec` usage in this file; the `BitArray` machinery
is no longer needed.

Bench results extended to cover bitwise_permute. Overhead: 28×–199×
across N=8..128, in line with the elementwise result.

Author: coderdan

packages/permutation/examples/bench_permute.rs

@@ -5,7 +5,7 @@
 use std::hint::black_box;
 use std::time::Instant;
 use subtle::{ConditionallySelectable, ConstantTimeEq};
-use vitaminc_permutation::{PermutationKey, Permute};
+use vitaminc_permutation::{BitwisePermute, PermutationKey, Permute};
 use vitaminc_random::{Generatable, SafeRand, SeedableRng};
 
 fn permute_old<const N: usize>(key_bytes: &[u8; N], input: [u8; N]) -> [u8; N] {
@@ -70,11 +70,81 @@ where
     );
 }
 
+fn bitwise_old<const N: usize, const ARR: usize>(
+    key_bytes: &[u8; N],
+    bytes: [u8; ARR],
+) -> [u8; ARR] {
+    // Reference variable-time impl: secret-indexed bit reads.
+    let mut out = [0u8; ARR];
+    for i in 0..N {
+        let k = key_bytes[i] as usize;
+        let bit = (bytes[k / 8] >> (7 - (k % 8))) & 1;
+        out[i / 8] |= bit << (7 - (i % 8));
+    }
+    out
+}
+
+fn bench_bitwise<const N: usize, const ARR: usize, T>(label: &str, iters: u32, sample: T)
+where
+    PermutationKey<N>: BitwisePermute<N, T> + Generatable + Permute<[u8; N]>,
+    T: Copy,
+    [u8; N]: AsRef<[u8]>,
+{
+    let mut rng = SafeRand::from_seed([42; 32]);
+    let key: PermutationKey<N> = PermutationKey::random(&mut rng).unwrap();
+    let identity: [u8; N] = std::array::from_fn(|i| i as u8);
+    let key_bytes: [u8; N] = key.permute(identity);
+    let mut bytes = [0u8; ARR];
+    for (i, b) in bytes.iter_mut().enumerate() {
+        *b = if i % 2 == 0 { 0xAA } else { 0x55 };
+    }
+
+    for _ in 0..1000 {
+        black_box(bitwise_old::<N, ARR>(
+            black_box(&key_bytes),
+            black_box(bytes),
+        ));
+        black_box(key.bitwise_permute(black_box(sample)));
+    }
+
+    let t0 = Instant::now();
+    for _ in 0..iters {
+        black_box(bitwise_old::<N, ARR>(
+            black_box(&key_bytes),
+            black_box(bytes),
+        ));
+    }
+    let old_ns = t0.elapsed().as_nanos() as f64 / iters as f64;
+
+    let t0 = Instant::now();
+    for _ in 0..iters {
+        black_box(key.bitwise_permute(black_box(sample)));
+    }
+    let new_ns = t0.elapsed().as_nanos() as f64 / iters as f64;
+
+    println!(
+        "{label:>12}: old(idx) {old_ns:>7.1} ns | new(scan) {new_ns:>7.1} ns | overhead {:>5.2}x",
+        new_ns / old_ns
+    );
+}
+
 fn main() {
     let iters = 500_000;
+    println!("== elementwise permute ==");
     bench::<8>("N=8", iters);
     bench::<16>("N=16", iters);
     bench::<32>("N=32", iters);
     bench::<64>("N=64", iters);
     bench::<128>("N=128", iters);
+
+    println!("\n== bitwise permute ==");
+    bench_bitwise::<8, 1, u8>("N=8", iters, 0xAAu8);
+    bench_bitwise::<16, 2, u16>("N=16", iters, 0xAAAAu16);
+    bench_bitwise::<32, 4, u32>("N=32", iters, 0xAAAA_AAAAu32);
+    bench_bitwise::<64, 8, u64>("N=64", iters, 0xAAAA_AAAA_AAAA_AAAAu64);
+    bench_bitwise::<128, 16, u128>(
+        "N=128",
+        iters,
+        0xAAAA_AAAA_AAAA_AAAA_AAAA_AAAA_AAAA_AAAAu128,
+    );
 }

packages/permutation/src/bitwise.rs

@@ -1,7 +1,6 @@
-use crate::PermutationKey;
-use bitvec::{array::BitArray, order::Msb0};
+use crate::{elementwise::permute_array, PermutationKey};
 use std::num::{NonZeroU128, NonZeroU16, NonZeroU32, NonZeroU64, NonZeroU8};
-use zeroize::Zeroize;
+use zeroize::{Zeroize, Zeroizing};
 
 // TODO: Make this a private trait
 // FIXME: This trait is backwards - self should be T and the argument should be a key
@@ -13,19 +12,25 @@ macro_rules! impl_bitwise_permutable {
     ($N:literal, $int_type:ty, $array_size:expr) => {
         impl BitwisePermute<$N, $int_type> for PermutationKey<$N> {
             fn bitwise_permute(&self, mut input: $int_type) -> $int_type {
-                let bytes = input.to_be_bytes();
-                let arr: BitArray<[u8; $array_size], Msb0> = BitArray::new(bytes);
-                let out: BitArray<[u8; $array_size], Msb0> = self.iter().enumerate().fold(
-                    BitArray::new([0; $array_size]),
-                    |mut out, (i, k)| {
-                        out.set(i, *unsafe { arr.get_unchecked(k) });
-                        out
-                    },
-                );
-
+                // Unpack the input into one byte per bit (MSB-first), permute
+                // the bit-vector through the constant-time `permute_array`
+                // primitive, then re-pack. The previous implementation used
+                // `bitvec::get_unchecked(secret_index)` which performs a
+                // secret-dependent bit load; even though the bit array fits in
+                // a single cache line, this defends against intra-cache-line
+                // microarchitectural leaks (port pressure, etc.).
+                let bytes = Zeroizing::new(input.to_be_bytes());
+                let mut bits: Zeroizing<[u8; $N]> = Zeroizing::new([0u8; $N]);
+                for j in 0..$N {
+                    bits[j] = (bytes[j / 8] >> (7 - (j % 8))) & 1;
+                }
+                let permuted = Zeroizing::new(permute_array(self, *bits));
+                let mut out = [0u8; $array_size];
+                for j in 0..$N {
+                    out[j / 8] |= (permuted[j] & 1) << (7 - (j % 8));
+                }
                 input.zeroize();
-
-                <$int_type>::from_be_bytes(out.into_inner())
+                <$int_type>::from_be_bytes(out)
             }
         }
     };